Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of detecting and remediating a network of compromised computers, comprising: collecting, using a hardware processor, Domain Name System (DNS) data for a domain; examining, using the hardware processor, the collected data to determine whether third level domain requests exceed second level domain requests for the domain; and responsive to determining that the third level domain requests exceed the second level domain requests for the domain, determining that the domain is associated with a command and control computer for a botnet.
2. The method of claim 1 , wherein the DNS data comprises DNS queries.
3. The method of claim 1 , further comprising: observing time zone and time of release information for the collected data.
4. The method of claim 1 , wherein determining that the domain is associated with a command and control computer comprises determining a canonical SLD request rate; and determining if the determined canonical SLD request rate against deviates from a known mean.
5. The method of claim 1 , further comprising, identifying, using the hardware processor, the internet protocol (IP) address of the command and control computer; and assigning, using the hardware processor, a sinkhole device to the IP address of the command and control computer.
6. The method of claim 5 , wherein the sinkhole device captures network traffic from one or more infected bot computers.
7. The method of claim 6 , further comprising analyzing, using the hardware processor, the network traffic from the one or more infected bot computers.
8. The method of claim 7 , wherein the network traffic comprises at least one of information about attaching networks, victim information, operating system type, software installed, and patch level of installed software.
9. The method of claim 7 , further comprising sharing, using the hardware processor, the analyzed network traffic from the one or more infected bot computers with a third party system.
10. The method of claim 7 , further comprising requesting, using the hardware processor, that the domain associated with the command and control computer be revoked.
11. The method of claim 6 , further comprising: determining, based on the analyzed network traffic, an amount of synchronous requests from the one or more infected bots computers; and generating, based the amount of synchronous requests, a diurnal model for at least one time zone.
12. The method of claim 11 , wherein the diurnal model for at least one time zone comprises a diurnal model for a plurality of time zones, and further comprising: ranking the diurnal models for a plurality of time zones based on at least one of priority and patch management.
13. The method of claim 12 , further comprising predicting, based on the ranking of the diurnal models, a short term growth of the botnet.
14. The method of claim 6 , further comprising responding, using a tarpit device, to at least one of the one or more infected bot computers synchronous requests with at least one of a reset command, a blackholed response, a single acknowledgement, a plurality of acknowledgements, and a command to connect to another tarpit.
15. The method of claim 14 , wherein the tarpit device is at least one of a network player tarpit, routing layer, and an application layer tarpit.
16. The method of claim 1 , wherein examining the collected data further comprises: analyzing one or more non-recursive DNS queries stored in a DNS cache.
17. The method of claim 16 , wherein the non-recursive DNS queries have a time-to-live value.
18. An information handling device for detecting and remediating a network of compromised computers, comprising: at least one hardware processor; and a computer readable storage device having computer readable program code embodied therewith and executable by the at least one hardware processor, the computer readable program code comprising: computer readable program code that collects Domain Name System (DNS) data for a domain; computer readable program code that examines the collected data to determine whether third level domain requests exceed second level domain requests for the domain; and responsive to determining that the third level domain requests exceed the second level domain requests for the domain, computer readable program code that determines that the domain is associated with a command and control computer for a botnet.
19. A method of detecting and remediating a network of compromised computers, comprising: collecting, using a hardware processor, Domain Name System (DNS) data for a domain; examining, using the hardware processor, the collected data to determine whether third level domain exceed of second level domain requests for the domain; and determining, based on the examining, that the domain is associated with a command and control computer for a botnet, wherein determining that the domain is associated with a command and control computer comprises determining a canonical SLD request rate.
Unknown
August 7, 2018
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.